Overview

overview

10

Static

static

098c9b9b36...2f.exe

windows7_x64

10

098c9b9b36...2f.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    91s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    06-07-2022 22:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    098c9b9b367660132eec3df473f29d2f.exe

  • Size

    2.4MB

  • MD5

    098c9b9b367660132eec3df473f29d2f

  • SHA1

    132619d5e3f88b7d96c6b6ee0167a9907cf22abf

  • SHA256

    4589222780e929e9d982ba839f37881d7861bcc07afb3c4e93acf0c20da8934e

  • SHA512

    bdc1497e606c13802992742007ec209c257c7366ec3d702b8fdf38e2b7290e197804802689643afb0a39079fc642a9853dcab865dd88e4996ecce32a9a20857f

Score
10/10
redlineinfostealerpersistencespyware

Malware Config

Extracted

Family

redline

C2

213.226.123.155:2014

Attributes
  • auth_value

    be2205f654abe3ef15343bc67642db4e

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\098c9b9b367660132eec3df473f29d2f.exe
    "C:\Users\Admin\AppData\Local\Temp\098c9b9b367660132eec3df473f29d2f.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4552
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:215196
      • C:\Users\Admin\AppData\Local\Temp\Installer.exe
        "C:\Users\Admin\AppData\Local\Temp\Installer.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:215832
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C powershell -EncodedCommand "PAAjAFUAMwBWAEcAMAAwAHkAYQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjADYAagB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAFMAbgBjAEIAbABLAFQAVABNACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjADcASAAjAD4A" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:215952
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -EncodedCommand "PAAjAFUAMwBWAEcAMAAwAHkAYQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjADYAagB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAFMAbgBjAEIAbABLAFQAVABNACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjADcASAAjAD4A"
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:216004
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4760
          • C:\Windows\SysWOW64\schtasks.exe
            SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
            5⤵
            • Creates scheduled task(s)
            PID:3456
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk442" /TR "C:\ProgramData\Dllhost\dllhost.exe"
          4⤵
            PID:4192

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Web Service

    1
    T1102

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Installer.exe
      Filesize

      82KB

      MD5

      0759cd1397dbd963689019c7ef994df8

      SHA1

      b9c0f77040e2ed3065329aa89f7420e68fef6194

      SHA256

      42fbf11d75c5fa3895a269c62e0a23d8cc6856bef6a36c2dce81deac589b286a

      SHA512

      10996b4f98af36456b9f41a488711854123b776d5b130f8db48d9589ea7e5cccde2d7f0eabaf00f7e201dbf52878dbc1c29242f9f35acb4e6f59b80862e83331

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Installer.exe
      Filesize

      82KB

      MD5

      0759cd1397dbd963689019c7ef994df8

      SHA1

      b9c0f77040e2ed3065329aa89f7420e68fef6194

      SHA256

      42fbf11d75c5fa3895a269c62e0a23d8cc6856bef6a36c2dce81deac589b286a

      SHA512

      10996b4f98af36456b9f41a488711854123b776d5b130f8db48d9589ea7e5cccde2d7f0eabaf00f7e201dbf52878dbc1c29242f9f35acb4e6f59b80862e83331

      Download Submit
    • memory/3456-162-0x0000000000000000-mapping.dmp
      Download
    • memory/4192-161-0x0000000000000000-mapping.dmp
      Download
    • memory/4760-160-0x0000000000000000-mapping.dmp
      Download
    • memory/215196-143-0x00000000053C0000-0x00000000053DE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/215196-146-0x0000000007D50000-0x000000000827C000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/215196-141-0x00000000052C0000-0x0000000005352000-memory.dmp
      Filesize

      584KB

      Download
    • memory/215196-142-0x0000000005FE0000-0x0000000006584000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/215196-130-0x0000000000000000-mapping.dmp
      Download
    • memory/215196-144-0x0000000005DF0000-0x0000000005E56000-memory.dmp
      Filesize

      408KB

      Download
    • memory/215196-145-0x0000000007650000-0x0000000007812000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/215196-131-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

      Download
    • memory/215196-147-0x00000000068F0000-0x0000000006940000-memory.dmp
      Filesize

      320KB

      Download
    • memory/215196-137-0x0000000004E30000-0x0000000004E42000-memory.dmp
      Filesize

      72KB

      Download
    • memory/215196-139-0x0000000004E90000-0x0000000004ECC000-memory.dmp
      Filesize

      240KB

      Download
    • memory/215196-138-0x0000000004F60000-0x000000000506A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/215196-140-0x0000000005240000-0x00000000052B6000-memory.dmp
      Filesize

      472KB

      Download
    • memory/215196-136-0x0000000005410000-0x0000000005A28000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/215832-148-0x0000000000000000-mapping.dmp
      Download
    • memory/215832-152-0x0000000005490000-0x000000000549A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/215832-151-0x0000000000AC0000-0x0000000000ADE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/215952-153-0x0000000000000000-mapping.dmp
      Download
    • memory/216004-156-0x0000000005180000-0x00000000057A8000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/216004-158-0x0000000005980000-0x00000000059E6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/216004-159-0x0000000006080000-0x000000000609E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/216004-157-0x00000000058E0000-0x0000000005902000-memory.dmp
      Filesize

      136KB

      Download
    • memory/216004-155-0x0000000002780000-0x00000000027B6000-memory.dmp
      Filesize

      216KB

      Download
    • memory/216004-154-0x0000000000000000-mapping.dmp
      Download
    • memory/216004-163-0x0000000006640000-0x0000000006672000-memory.dmp
      Filesize

      200KB

      Download
    • memory/216004-164-0x0000000070550000-0x000000007059C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/216004-165-0x0000000006620000-0x000000000663E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/216004-166-0x00000000079D0000-0x000000000804A000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/216004-167-0x0000000007380000-0x000000000739A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/216004-168-0x0000000007410000-0x000000000741A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/216004-169-0x0000000007630000-0x00000000076C6000-memory.dmp
      Filesize

      600KB

      Download
    • memory/216004-170-0x00000000075C0000-0x00000000075CE000-memory.dmp
      Filesize

      56KB

      Download
    • memory/216004-171-0x00000000076D0000-0x00000000076EA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/216004-172-0x0000000007610000-0x0000000007618000-memory.dmp
      Filesize

      32KB

      Download